FortiManager - Incorrect user management behavior leads to passwordless admin
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-22-371
Final
1
1
2023-01-03T00:00:00
Current version
2023-01-03T00:00:00
2023-01-03T00:00:00
An incorrect user management vulnerability [CWE-286] in the FortiManager VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the super_admin profiled admin account is deleted.
None
Improper access control
Affected products:
At least FortiManager version 7.0.0 through 7.0.1
FortiManager version 6.4.0 through 6.4.7
FortiManager version 6.2.0 through 6.2.8
Solutions:
Please upgrade to FortiManager version 7.0.2 or above
Please upgrade to FortiManager version 6.4.8 or above
Please upgrade to FortiManager version 6.2.9 or above
FortiManager 7.0.1
FortiManager 7.0.0
FortiManager 6.4.7
FortiManager 6.4.6
FortiManager 6.4.5
FortiManager 6.4.4
FortiManager 6.4.3
FortiManager 6.4.2
FortiManager 6.4.1
FortiManager 6.4.0
FortiManager 6.2.8
FortiManager 6.2.7
FortiManager 6.2.6
FortiManager 6.2.5
FortiManager 6.2.4
FortiManager 6.2.3
FortiManager 6.2.2
FortiManager 6.2.1
FortiManager 6.2.0
CVE-2022-45857
CVSSv3 score: 6
CVSSv3 vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:H/E:F/RL:O/RC:C
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-22-371